Filter with more than one possible match?

andre22 · March 22, 2022, 8:16am

Hi,

I'm running the Elastic stack 8.1

I want to create a filter that has more than one condition and therefore avoid creating the same filter for all possibilities again and again. An example: I want the IF condition to apply when the field "method" contains one of these values: "reply", "reply[A]", "reply[AAAA]".

My last attempt looks like this:

if [method] == ["reply", "reply[A]", "reply[AAA]"]  {
  grok {...

but it doesn't seem to work.

In another filter, I would like to query wether the tag content is stored in a local text file, delimited for example by newline or comma. Is that possible, and if so, how?

Thanks for your help!

aaron-nimocks · March 22, 2022, 11:54am

You can do this with a few or statements or the second option is using regex where if reply shows up anywhere in the value then it will match.

if [method] == "reply" or [method] == "reply[A]" or [method] == "reply[AAA]"

or

if [method] =~ /reply/

andre22 · March 22, 2022, 3:21pm

Thank you @aaron-nimocks !

I solved it in the meantime, found a similar approach:

if [method] =~ /^repl*/ {mutate { ...

More examples like the one you provided would be great in the documentation.

I am now trying to solve the "look for the string in a file" question.
My approach so far is to use "translate" and "csv", and add a tag or field when the string is found. But for sure there is a more elegant approach?

system · April 19, 2022, 3:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.